LinuxQuestions.org
08-21-2010, 01:40 PM   #16
HuMan-BiEnG (Member, Original Poster)
Registered: Jun 2010
Posts: 92
Rep: Reputation: 15

Quote:
Originally Posted by joec@home
Going back to the initial question of detection of a Denial of Service attack, I tend to take a completely different approach and simply check per server rather than trying to get information per website. The first question is whether the traffic is malicious or not. This does not include flood attacks, as that is legitimate traffic, at least when observed from the network layer. Start by placing a watch on the network stack (CTRL+C to exit the watch). If you see any reported numbers climbing by more than 1000 points per screen refresh, then you have malicious packets hitting the server. However, even 1000 points per screen refresh would be considered a very small attack; more like 10,000 points per screen refresh would be a good solid attack. Something of this nature you would want to block at the network level if possible rather than with a software firewall.

Code:
watch -d "netstat -s|egrep -i '( failed | unreachable | SACK | DSACK | FSACK | resets | retransmited | RcvbufErrors: | SndbufErrors: )'"
Now for flood attacks against the web service, you would want to get an IP address count. Sometime when I have spare time and the need, I need to write a better script, but this is done in 2 parts. The first script checks the IPv4 stack, and the second checks the IPv6 stack. The scripts look for any single IP address with more than 10 connections; this can be raised as needed by adjusting the line "awk {'if ($1>10){print $0}'}". For other services you would simply change the port in the line "grep ':80 '".

Now the catch is that a lot of website programmers are causing issues with this in order to raise their Google rankings, or set up the site to play well with load balancing by proxies. Using images as an example, instead of linking internally they will link publicly: img src=http://site.com/folder/image.jpg instead of img src=folder/image.jpg. The first causes additional connections to the website per IP address; the second does not. Also, if you have a site that is attractive to some 3rd world countries connecting, they may have a proxy server per geographic region. This will have everyone behind the proxy connecting from one IP address. So for these reasons you have to give a bit of elbow room when checking the security by this method.

Code:
# IPv4: take the foreign address column ($5) of every socket on local port 80,
# drop the ":port" part, count connections per client address and keep only
# clients with more than 10 (the threshold in the second awk).
echo '##### IP Connection Check Report #####' ;\
netstat -nalp \
    | grep ':80 ' \
    | grep -v qmail-remote \
    | awk {'print $5'} \
    | cut -d: -f1 \
    | sort \
    | uniq -c \
    | awk {'if ($1>10){print $0}'} \
    | sort -nr ;\
echo '##### End IP Connection Check Report #####'
Code:
# IPv6: same pipeline, but "cut -d: -f4" assumes IPv4-mapped addresses of the
# form ::ffff:a.b.c.d:port (the usual case when Apache listens on :::80), so
# field 4 is the client's IPv4 address; native IPv6 peers need a different split.
echo '##### IPV6 Connection Check Report #####' ;\
netstat -nalp \
    | grep ':80 ' \
    | grep -v qmail-remote \
    | awk {'print $5'} \
    | cut -d: -f4 \
    | sort \
    | uniq -c \
    | awk {'if ($1>10){print $0}'} \
    | sort -nr ;\
echo '##### End IPV6 Connection Check Report #####'
The two common methods of protection against flood attacks are to keep Apache tuned on a regular basis to adjust for changes in the traffic patterns, and to set up a software firewall with rate limiting. The following article covers rate limiting for SSH; simply changing the port number and making it a bit more tolerant would suffice for Apache.
Hello Joe,

Thank you, man, a lot. You really helped me with this very great info so much.

This info taught me so much and set me on the right step to start fighting these attacks, and also your script and shell command do a lot for me.

Senior Nbomr helped with the script that I wanted and asked for, which will help me in determining which website is under attack or flood.

And you, Joe, helped me to understand the attack and how to block and deal with it.

Many thanks to you both, Senior Nbomr and Mr Joe.

Both of you accept my best regards.
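The two checks joec@home describes above (watching netstat -s counters for sudden growth, and counting connections per client address to one port) as an added example; this is not code from the thread or from either poster. It reads the same netstat output the thread uses, but strips only the trailing :port from the peer address so IPv4 and IPv6 peers go through one parser instead of the cut -f1 / cut -f4 pair, and it compares two saved netstat -s snapshots instead of eyeballing watch output. The function names (netstat_s_delta, conn_report), the sample netstat output, and all addresses, PIDs and counter values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Two reusable checks:
#   netstat_s_delta OLD NEW [THR]  - counters in 'netstat -s' that grew by
#                                    more than THR between two snapshots
#   conn_report PORT [THR]         - clients with more than THR connections
#                                    to local PORT, from 'netstat -nalp' on stdin
# All sample data below is constructed; nothing here touches a live socket.

# Counter lines come in two shapes: "    50 segments retransmited" and
# "    RcvbufErrors: 0". The text is the key so both snapshots line up.
netstat_s_delta() {
    awk -v thr="${3:-1000}" '
        {
            if ($0 ~ /^ +[0-9]+ /)                 { val = $1; key = $0; sub(/^ +[0-9]+ /, "", key) }
            else if ($0 ~ /^ +[A-Za-z0-9]+: [0-9]+$/) { val = $2; key = $1 }
            else next
            if (FNR == NR) old[key] = val              # first file: remember the baseline
            else if ((key in old) && val - old[key] > thr)
                printf "%8d %s\n", val - old[key], key
        }' "$1" "$2" | sort -nr
}

# netstat -n columns: Proto Recv-Q Send-Q Local Foreign State ...
conn_report() {
    awk -v port="$1" -v thr="${2:-10}" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") {
            peer = $5
            if (peer ~ /\*$/) next                     # listening socket, no peer
            sub(/:[0-9]+$/, "", peer)                  # strip only the trailing port, v4 or v6
            count[peer]++
        }
        END { for (p in count) if (count[p] > thr) printf "%7d %s\n", count[p], p }
    ' | sort -nr
}

# Constructed 'netstat -s' snapshots (old and new).
sample_snapshot() {
    if [ "$1" = old ]; then
        printf 'Tcp:\n    1200 active connection openings\n    35 failed connection attempts\n'
        printf '    400 connection resets received\n    50 segments retransmited\nUdp:\n    RcvbufErrors: 0\n'
    else
        printf 'Tcp:\n    1300 active connection openings\n    5035 failed connection attempts\n'
        printf '    410 connection resets received\n    3050 segments retransmited\nUdp:\n    RcvbufErrors: 1500\n'
    fi
}

# Constructed 'netstat -nalp' output: one noisy IPv4 client (12 connections to
# :80), one noisy IPv6 client (11), one quiet client (3), plus unrelated rows.
sample_netstat() {
    printf 'Active Internet connections (servers and established)\n'
    printf 'Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\n'
    printf 'tcp  0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/apache2\n'
    printf 'tcp6 0 0 :::80 :::* LISTEN 1234/apache2\n'
    i=0; while [ "$i" -lt 12 ]; do
        printf 'tcp  0 0 192.0.2.10:80 198.51.100.7:%d ESTABLISHED 1235/apache2\n' $((40000 + i))
        i=$((i + 1)); done
    i=0; while [ "$i" -lt 11 ]; do
        printf 'tcp6 0 0 2001:db8::10:80 2001:db8:1::7:%d ESTABLISHED 1236/apache2\n' $((51000 + i))
        i=$((i + 1)); done
    i=0; while [ "$i" -lt 3 ]; do
        printf 'tcp  0 0 192.0.2.10:80 203.0.113.5:%d TIME_WAIT -\n' $((60000 + i))
        i=$((i + 1)); done
    printf 'tcp  0 0 192.0.2.10:443 198.51.100.7:40500 ESTABLISHED 1235/apache2\n'
    printf 'tcp  0 0 192.0.2.10:22 198.51.100.7:40600 ESTABLISHED 900/sshd\n'
}

demo() {
    old=$(mktemp) && new=$(mktemp) || return 1
    sample_snapshot old > "$old"; sample_snapshot new > "$new"
    echo '##### netstat -s counters that grew by more than 1000 #####'
    netstat_s_delta "$old" "$new" 1000
    rm -f "$old" "$new"
    echo '##### clients with more than 10 connections to :80 #####'
    sample_netstat | conn_report 80 10
}
demo
```

Against a live server the same functions take real input: save two snapshots a few seconds apart (netstat -s > old; sleep 5; netstat -s > new) and run netstat_s_delta old new 1000, or pipe netstat -nalp | conn_report 80 10. As joec@home notes, a regional proxy or public image links will inflate one address's count, so the threshold is a starting point for a closer look, not proof of an attack.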